[Global]
use-clouds = true
clouds-file = /etc/openstack/secret/clouds.yaml
cloud = openstack
...
[LoadBalancer]
use-octavia = true
enabled = true (1)
In OKD 4.12, clusters that run on OpenStack are switched from the legacy OpenStack cloud provider to the external OpenStack Cloud Controller Manager (CCM). This change follows the move in Kubernetes from in-tree, legacy cloud providers to external cloud providers that are implemented by using the Cloud Controller Manager.
To preserve user-defined configurations for the legacy cloud provider, existing configurations are mapped to new ones as part of the migration process. It searches for a configuration called cloud-provider-config
in the openshift-config
namespace.
The config map name cloud-provider-config is not statically configured. It is derived from the spec.cloudConfig.name value in the infrastructure/cluster CRD.
|
Found configurations are synchronized to the cloud-conf
config map in the openshift-cloud-controller-manager
namespace.
As part of this synchronization, the OpenStack CCM Operator alters the new config map such that its properties are compatible with the external cloud provider. The file is changed in the following ways:
The [Global] secret-name
, [Global] secret-namespace
, and [Global] kubeconfig-path
options are removed. They do not apply to the external cloud provider.
The [Global] use-clouds
, [Global] clouds-file
, and [Global] cloud
options are added.
The entire [BlockStorage]
section is removed. External cloud providers no longer perform storage operations. Block storage configuration is managed by the Cinder CSI driver.
Additionally, the CCM Operator enforces a number of default options. Values for these options are always overriden as follows:
[Global]
use-clouds = true
clouds-file = /etc/openstack/secret/clouds.yaml
cloud = openstack
...
[LoadBalancer]
use-octavia = true
enabled = true (1)
1 | If the network is configured to use Kuryr, this value is false . |
The clouds-value
value, /etc/openstack/secret/clouds.yaml
, is mapped to the openstack-cloud-credentials
config in the openshift-cloud-controller-manager
namespace. You can modify the OpenStack cloud in this file as you do any other clouds.yaml
file.
An OpenStack CCM config map defines how your cluster interacts with your OpenStack cloud. By default, this configuration is stored under the cloud.conf
key in the cloud-conf
config map in the openshift-cloud-controller-manager
namespace.
The To change the settings that are described by the As part of this synchronization, the CCM Operator overrides some options. For more information, see "The OpenStack Cloud Controller Manager". |
For example:
cloud-conf
config mapapiVersion: v1
data:
cloud.conf: |
[Global] (1)
secret-name = openstack-credentials
secret-namespace = kube-system
region = regionOne
[LoadBalancer]
use-octavia = True
kind: ConfigMap
metadata:
creationTimestamp: "2022-12-20T17:01:08Z"
name: cloud-conf
namespace: openshift-cloud-controller-manager
resourceVersion: "2519"
uid: cbbeedaf-41ed-41c2-9f37-4885732d3677
1 | Set global options by using a clouds.yaml file rather than modifying the config map. |
The following options are present in the config map. Except when indicated otherwise, they are mandatory for clusters that run on OpenStack.
CCM supports several load balancer options for deployments that use Octavia.
Neutron-LBaaS support is deprecated. |
Option | Description |
---|---|
|
Whether or not to enable the |
|
Optional. The external network used to create floating IP addresses for load balancer virtual IP addresses (VIPs). If there are multiple external networks in the cloud, this option must be set or the user must specify |
|
Optional. The external network subnet used to create floating IP addresses for the load balancer VIP. Can be overridden by the service annotation |
|
Optional. A name pattern (glob or regular expression if starting with |
|
Optional. Tags for the external network subnet used to create floating IP addresses for the load balancer VIP. Can be overridden by the service annotation If the OpenStack network is configured with sharing disabled, for example, with the |
|
The load balancing algorithm used to create the load balancer pool.
For the Amphora provider the value can be For the OVN provider, only the For the Amphora provider, if using the |
|
Optional. Used to specify the provider of the load balancer, for example, |
|
Optional. The load balancer API version. Only |
|
The ID of the Networking service subnet on which load balancer VIPs are created. |
|
The ID of the Networking service network on which load balancer VIPs are created. Unnecessary if |
|
Whether or not to create a health monitor for the service load balancer. A health monitor is required for services that declare This option is unsupported if you use OpenStack earlier than version 17 with the |
|
The interval in seconds by which probes are sent to members of the load balancer. The default value is |
|
The number of successful checks that are required to change the operating status of a load balancer member to |
|
The time in seconds that a monitor waits to connect to the back end before it times out. The default value is |
|
Whether or not to create an internal load balancer without floating IP addresses. The default value is |
|
This is a config section that comprises a set of options:
The behavior of these options is the same as that of the identically named options in the load balancer section of the CCM config file. You can set the |
|
The maximum number of services that can share a load balancer. The default value is |
The CCM Operator overrides the following options, which you might recognize from configuring OpenStack. Do not configure them yourself. They are included in this document for informational purposes only.
Option | Description |
---|---|
|
The OpenStack Identity service URL. For example, |
|
The type of endpoint to use from the service catalog. |
|
The Identity service user name. |
|
The Identity service user password. |
|
The Identity service user domain ID. |
|
The Identity service user domain name. |
|
The Identity service project ID. Leave this option unset if you are using Identity service application credentials. In version 3 of the Identity API, which changed the identifier |
|
The Identity service project name. |
|
The Identity service project domain ID. |
|
The Identity service project domain name. |
|
The Identity service user domain ID. |
|
The Identity service user domain name. |
|
Whether or not to fetch authorization credentials from a CCM searches for the file in the following places:
|
|
The file path of a |
|
The named cloud in the |